Access violation - pyc file #67470

Closed
PaweZduniak mannequin opened this issue Jan 20, 2015 · 6 comments
Labels
OS-windows type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@PaweZduniak
Mannequin

PaweZduniak mannequin commented Jan 20, 2015

BPO 23281
Nosy @brettcannon, @vstinner, @ericvsmith, @tjguk, @zware, @eryksun, @zooba
Files
  • test.pyc

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2015-01-20.14:22:57.741>
    created_at = <Date 2015-01-20.07:35:28.997>
    labels = ['invalid', 'OS-windows', 'type-crash']
    title = 'Access violation - pyc file'
    updated_at = <Date 2015-01-20.14:25:53.706>
    user = 'https://bugs.python.org/PaweZduniak'

    bugs.python.org fields:

    activity = <Date 2015-01-20.14:25:53.706>
    actor = 'vstinner'
    assignee = 'none'
    closed = True
    closed_date = <Date 2015-01-20.14:22:57.741>
    closer = 'brett.cannon'
    components = ['Windows']
    creation = <Date 2015-01-20.07:35:28.997>
    creator = 'Pawe\xc5\x82.Zduniak'
    dependencies = []
    files = ['37785']
    hgrepos = []
    issue_num = 23281
    keywords = []
    message_count = 6.0
    messages = ['234357', '234360', '234373', '234374', '234375', '234376']
    nosy_count = 8.0
    nosy_names = ['brett.cannon', 'vstinner', 'eric.smith', 'tim.golden', 'zach.ware', 'eryksun', 'steve.dower', 'Pawe\xc5\x82.Zduniak']
    pr_nums = []
    priority = 'normal'
    resolution = 'not a bug'
    stage = None
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue23281'
    versions = ['Python 2.7']

    @PaweZduniak
    Mannequin Author

    PaweZduniak mannequin commented Jan 20, 2015

    (950.e58): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\python27.dll -
    python27!PyEval_EvalFrameEx+0x1895:
    1e0bcb45 8b74b00c mov esi,dword ptr [eax+esi*4+0Ch] ds:002b:0224207c=????????

    @PaweZduniak PaweZduniak mannequin added OS-windows type-crash A hard crash of the interpreter, possibly with a core dump labels Jan 20, 2015
    @eryksun
    Contributor

    eryksun commented Jan 20, 2015

    You attached a corrupt bytecode cache for stdlib bisect.py:

        >>> import struct, marshal, dis
        >>> from datetime import datetime
        >>> f = open('test.pyc', 'rb')
        >>> magic,tstamp = struct.unpack('<ll', f.read(8))
        >>> magic27 = 62211 | (ord('\r') << 16) | (ord('\n') << 24)
        >>> magic == magic27
        True
        >>> datetime.fromtimestamp(tstamp)
        datetime.datetime(2011, 3, 8, 2, 39, 36)
        >>> code = marshal.load(f)
        >>> dis.dis(code)
          1           0 LOAD_CONST               0 ('Bisection algorithms.')
                      3 STORE_NAME               0 (__doc__)

          3           6 LOAD_CONST               1 (0)
                      9 LOAD_CONST               8 (None)
                     12 LOAD_CONST               2 (<code object insort_right at
                                                    0x7f71bf596db0, file
                                                    "C:\Python27\Lib\bisect.py",
                                                    line 3>)
                     15 MAKE_FUNCTION            2
                     18 STORE_NAME               2 (insort_right)

         22          21 LOAD_NAME            65282
        Traceback (most recent call last):
          File "<stdin>", line 1, in <module>
          File "/usr/lib/python2.7/dis.py", line 43, in dis
            disassemble(x)
          File "/usr/lib/python2.7/dis.py", line 97, in disassemble
            print '(' + co.co_names[oparg] + ')',
        IndexError: tuple index out of range

    It's no surprise if this bad file crashed the interpreter. Just delete it.

    @ericvsmith
    Member

    Was this file generated by CPython from a .py file? If so, can you share the .py file?

    If not, how was this file generated? As eryksun says, it appears to not be a valid .pyc file.

    @PaweZduniak
    Mannequin Author

    PaweZduniak mannequin commented Jan 20, 2015

    This file was created by a fuzzer.

    @brettcannon
    Member

    If it was created by a fuzzer then this isn't a bug as we do no validation of bytecode formatting as we assume it was generated by Python and not an external, malicious source.

    @vstinner
    Member

    > we assume it was generated by Python and not an external, malicious source.

    Said differently: you must not trust .py or .pyc downloaded from untrusted sources. Executing an arbitrary .py or .pyc file allows executing arbitrary Python code.

    Instead of writing complex code to inject machine code in the Python evaluation loop (Python/ceval.c), just execute "import os; os.system('echo pwn!')" which runs an arbitrary shell command. Compile it to .pyc if you want to "exploit" the PYC path.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
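
The inspection eryksun did by hand in the thread above, as an added example (not code from the issue or from CPython): it parses a .pyc header, unmarshals the code object without executing it, and flags name and constant operands that index past `co_names` or `co_consts`, which is the condition behind the `LOAD_NAME 65282` failure. It assumes the 16-byte header of CPython 3.7+ rather than the 8-byte Python 2.7 header shown earlier; `bad_operands`, `inspect_pyc` and `make_sample` are names made up for this example, and the sample files are constructed inline.

```python
import dis, importlib.util, marshal, struct, types

EXT = dis.opmap["EXTENDED_ARG"]
# Opcodes whose operand is a plain index into co_names / co_consts.
NAME_OPS = {dis.opmap[n] for n in ("LOAD_NAME", "STORE_NAME", "DELETE_NAME")}
CONST_OPS = {dis.opmap["LOAD_CONST"]}

def bad_operands(code):
    """List (code name, offset, opname, oparg) for out-of-range table indexes."""
    found, raw, ext = [], code.co_code, 0
    for off in range(0, len(raw) - 1, 2):      # 2-byte wordcode units
        op, arg = raw[off], raw[off + 1] | ext
        ext = arg << 8 if op == EXT else 0     # EXTENDED_ARG widens the next operand
        limit = (len(code.co_names) if op in NAME_OPS else
                 len(code.co_consts) if op in CONST_OPS else None)
        if limit is not None and arg >= limit:
            found.append((code.co_name, off, dis.opname[op], arg))
    for const in code.co_consts:               # nested functions and classes
        if isinstance(const, types.CodeType):
            found += bad_operands(const)
    return found

def inspect_pyc(data):
    """Check a CPython 3.7+ .pyc image without running it: (status, findings)."""
    if len(data) < 16 or data[:4] != importlib.util.MAGIC_NUMBER:
        return "bad-magic", []
    # 16-byte header: magic, flags, then mtime+size or an 8-byte source hash.
    # marshal is not hardened against malformed input; for files of unknown
    # origin, run this check in a disposable process.
    code = marshal.loads(data[16:])
    if not isinstance(code, types.CodeType):
        return "not-code", []
    findings = bad_operands(code)
    return ("corrupt" if findings else "ok"), findings

def make_sample(corrupt):
    """Constructed input: a tiny module, optionally with one LOAD_NAME index clobbered."""
    code = compile("x = 1\ny = x\n", "sample.py", "exec")
    if corrupt:
        raw = bytearray(code.co_code)
        off = next(i for i in range(0, len(raw), 2)
                   if raw[i] == dis.opmap["LOAD_NAME"])
        raw[off + 1] = 0xFF                    # index far past the end of co_names
        code = code.replace(co_code=bytes(raw))
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, 0)
    return header + marshal.dumps(code)

if __name__ == "__main__":
    for label in ("intact", "clobbered"):
        print(label, inspect_pyc(make_sample(label == "clobbered")))
```

A clean result only means these operand indexes are in range; as the comments above point out, a well-formed .pyc from an untrusted source still runs arbitrary code when it is imported.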